Abstract. We take a process component as a pair of an interface and a
behaviour. We study the composition of interacting process components
in the setting of process algebra. We formalize the interfaces of interacting
process components by means of an interface group. An interesting
feature of the interface group is that it allows for distinguishing between
expectations and promises in interfaces of process components. This
distinction comes into play in case components with both client and server
behaviour are involved.
1 Introduction

Component interfaces are a practical tool for the development of all but the most 
elementary architectural designs. In [7], interface groups have been proposed 
as a means to formalize the interfaces of the components of financial transfer 
architectures. The interface groups introduced in that paper concern component 
behaviours of a special kind, namely financial transfer behaviours of units of 
an organization. In this paper, we introduce an interface group which concerns 
behaviours of a more general kind, namely behaviours that can be viewed as 
processes specifiable in the process algebra known as ACP [3,9]. 

An interface group is a commutative group intended for describing and
analysing interfaces. The interface group introduced in this paper concerns
interfaces of process components that request other components to carry out
methods and grant requests of other components to carry out methods. The
interfaces in question represent the abilities to grant requests that are
expected from other components and the abilities to make requests that are
promised to other components. The ability to make a certain request and the
ability to grant that request are considered to cancel out in interfaces.
Thus, having an empty interface is a sufficient condition on a process
component for being a closed system. Interfaces as modelled by the interface
group introduced in this paper have less structure than the signatures used
as interfaces in module algebra [4]. However, module algebra does not allow
for distinguishing between expectations and promises in interfaces of
components. In point of fact, it has a bias towards composing components
whose interfaces concern promises only.

This research was partly carried out in the framework of the Jacquard-project
Symbiosis, which is funded by the Netherlands Organisation for Scientific
Research (NWO).

We also present a theory about process components of which the interface 
group introduced forms part. Like any notion of component, the notion of process 
component underlying this theory combines interface with content: a process 
component is considered a pair of an interface and a behaviour. Processes as 
considered in ACP are taken as the behaviours of process components. Therefore, 
the theory concerned is a development on top of ACP. However, additional 
assumptions are made about the actions of which the processes are made up. 
Three kinds of actions are distinguished: the acts of making requests referred to 
above, the acts of granting requests referred to above, and the acts of carrying 
out methods which result from making a request and granting that request at 
the same time. The use of the presented theory about process components is 
illustrated by means of examples. A model of the theory is constructed, using a 
notion of bisimilarity for process components. 

In the presented theory about process components, composition of process
components is in general not associative. Little can be done about this because
turning a process into a component by adding an interface to it inevitably results
in encapsulation of the process. However, composition of process components is
associative when a certain condition on the process components in question is
fulfilled. We couch this in a special associativity axiom for component
composition.

In the presented theory about process components, processes reside at places, 
called loci, and requests and grants are addressed to the processes residing at 
a certain locus. If the processes that are taken as the behaviours of process 
components are looked at in isolation, it may be convenient to abstract from the 
loci at which they reside. This abstraction gives rise to another kind of processes. 
We treat this kind of processes, referred to as localized processes, as well. 

A system composed of a collection of process components is a closed system
if the actions that make up its behaviour include neither acts of making requests
nor acts of granting requests. It is generally undecidable whether a system
composed of a collection of process components is a closed system. This state of
affairs forms part of the motivation for developing the theory about process
components presented in this paper. In the presented theory, having an empty
interface is a sufficient condition for being a closed system and it is decidable
whether an interface is empty.

The structure of this paper is as follows. First, we review ACP (Section 2)
and guarded recursion in the setting of ACP (Section 3), and present the actions
that make up the processes being considered in later sections (Section 4). Next,
we introduce a theory about integers (Section 5) and a theory about interfaces
(Section 6). Then, we extend ACP, using the theories just introduced, to a
theory about process components (Section 7). Following this, we go into the matter
that component composition is in general not associative (Section 8) and discuss
the connection between empty interfaces and closed systems (Section 9). After
that, we give two examples of the use of the presented theory about process
components (Sections 10 and 11). Thereupon, we introduce a notion of bisimilarity
for process components (Section 12) and construct a model of the presented
theory about process components using this notion of bisimilarity (Section 13).
Following that, we extend the theory about process components developed so far
with localized processes (Section 14). Finally, we make some concluding remarks
(Section 15).

2 Algebra of Communicating Processes 

In this section, we shortly review ACP (Algebra of Communicating Processes),
the algebraic theory about processes that was first presented in [5]. For a
comprehensive overview of ACP, the reader is referred to [9]. Although ACP is
one-sorted, we make this sort explicit. The reason for this is that we will extend
ACP to a theory with four sorts in Section 7.

In ACP, it is assumed that a fixed but arbitrary finite set of actions $A$,
with $\delta \notin A$, has been given. We write $A_\delta$ for $A \cup \{\delta\}$.
It is further assumed that a fixed but arbitrary commutative and associative
communication function $| : A_\delta \times A_\delta \to A_\delta$, with
$\delta \mid a = \delta$ for all $a \in A_\delta$, has been given. The function
$|$ is regarded to give the result of synchronously performing any two actions for
which this is possible, and to be $\delta$ otherwise.

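ACP has one sort: the sort P of processes. To build terms of sort P, ACP
has the following constants and operators:

— the deadlock constant $\delta : \mathbf{P}$;

— for each $a \in A$, the action constant $a : \mathbf{P}$;

— the binary alternative composition operator $+ : \mathbf{P} \times \mathbf{P} \to \mathbf{P}$;

— the binary sequential composition operator $\cdot : \mathbf{P} \times \mathbf{P} \to \mathbf{P}$;

— the binary parallel composition operator $\parallel : \mathbf{P} \times \mathbf{P} \to \mathbf{P}$;

— the binary left merge operator $\lfloor\!\lfloor : \mathbf{P} \times \mathbf{P} \to \mathbf{P}$;

— the binary communication merge operator $| : \mathbf{P} \times \mathbf{P} \to \mathbf{P}$;

— for each $H \subseteq A$, the unary encapsulation operator $\partial_H : \mathbf{P} \to \mathbf{P}$.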

Terms of sort P are built as usual for a one-sorted signature (see e.g. [17, 16]).
Throughout the paper, we assume that there are infinitely many variables of
sort P, including $x$, $y$, $z$, $x'$, $y'$ and $z'$.

We use infix notation for the binary operators. The following precedence
conventions are used to reduce the need for parentheses. The operator $+$ binds
weaker than all other binary operators to build terms of sort P and the operator
$\cdot$ binds stronger than all other binary operators to build terms of sort P.

Let $P$ and $Q$ be closed terms of sort P, $a \in A$, and $H \subseteq A$. Intuitively, the
constants and operators to build terms of sort P can be explained as follows:

— $\delta$ can neither perform an action nor terminate successfully;

— $a$ first performs action $a$ and then terminates successfully;
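Table 1. Axioms of ACP

$x + y = y + x$    A1
$(x + y) + z = x + (y + z)$    A2
$x + x = x$    A3
$(x + y) \cdot z = x \cdot z + y \cdot z$    A4
$(x \cdot y) \cdot z = x \cdot (y \cdot z)$    A5
$x + \delta = x$    A6
$\delta \cdot x = \delta$    A7

$x \parallel y = (x \lfloor\!\lfloor y + y \lfloor\!\lfloor x) + x \mid y$    CM1
$a \lfloor\!\lfloor x = a \cdot x$    CM2
$a \cdot x \lfloor\!\lfloor y = a \cdot (x \parallel y)$    CM3
$(x + y) \lfloor\!\lfloor z = x \lfloor\!\lfloor z + y \lfloor\!\lfloor z$    CM4
$a \cdot x \mid b = (a \mid b) \cdot x$    CM5
$a \mid b \cdot x = (a \mid b) \cdot x$    CM6
$a \cdot x \mid b \cdot y = (a \mid b) \cdot (x \parallel y)$    CM7
$(x + y) \mid z = x \mid z + y \mid z$    CM8
$x \mid (y + z) = x \mid y + x \mid z$    CM9

$\partial_H(a) = a$ if $a \notin H$    D1
$\partial_H(a) = \delta$ if $a \in H$    D2
$\partial_H(x + y) = \partial_H(x) + \partial_H(y)$    D3
$\partial_H(x \cdot y) = \partial_H(x) \cdot \partial_H(y)$    D4

$a \mid b = b \mid a$    C1
$(a \mid b) \mid c = a \mid (b \mid c)$    C2
$\delta \mid a = \delta$    C3
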



— $P + Q$ behaves either as $P$ or as $Q$, but not both;

— $P \cdot Q$ first behaves as $P$ and on successful termination of $P$ it next behaves
as $Q$;

— $P \parallel Q$ behaves as the process that proceeds with $P$ and $Q$ in parallel;

— $P \lfloor\!\lfloor Q$ behaves the same as $P \parallel Q$, except that it starts with performing an
action of $P$;

— $P \mid Q$ behaves the same as $P \parallel Q$, except that it starts with performing an
action of $P$ and an action of $Q$ synchronously;

— $\partial_H(P)$ behaves the same as $P$, except that actions from $H$ are blocked.

We write $\sum_{i \in \mathcal{I}} P_i$, where $\mathcal{I} = \{i_1, \ldots, i_n\}$ and
$P_{i_1}, \ldots, P_{i_n}$ are terms of sort P, for $P_{i_1} + \ldots + P_{i_n}$.
The convention is that $\sum_{i \in \mathcal{I}} P_i$ stands for $\delta$ if $\mathcal{I} = \emptyset$.

The axioms of ACP are the axioms given in Table 1. CM2-CM3, CM5-CM7, 
C1-C3 and D1-D4 are actually axiom schemas in which a, b and c stand for 
arbitrary constants of sort P (keep in mind that also the deadlock constant 
belongs to the constants of sort P) and H stands for an arbitrary subset of A. 

For the main models of ACP, the reader is referred to [3]. 

3 Guarded Recursion 

In this section, we shortly review guarded recursion in the setting of ACP. 

Not all processes in a model of ACP have to be interpretations of closed terms 
of sort P. Those processes may be definable over ACP. A process in some model 
of ACP is definable over ACP if there exists a guarded recursive specification 
over ACP of which that process is the unique solution. 

A recursive specification over ACP is a set of recursion equations
$\{X = t_X \mid X \in V\}$ where $V$ is a set of variables of sort P and each $t_X$
is a term of sort P from the language of ACP that only contains variables from $V$.
Let $E$ be a recursive specification over ACP. Then we write $V(E)$ for the set of
all variables that occur on the left-hand side of an equation in $E$. A solution of
a recursive specification $E$ is a set of processes (in some model of ACP)
$\{p_X \mid X \in V(E)\}$ such that the equations of $E$ hold if, for all
$X \in V(E)$, $X$ stands for $p_X$.

Table 2. Axioms for recursion

$\langle X|E \rangle = \langle t_X|E \rangle$ if $X = t_X \in E$    RDP
$E \Rightarrow X = \langle X|E \rangle$ if $X \in V(E)$    RSP

Let $t$ be a term of sort P from the language of ACP containing a variable
$X$. Then an occurrence of $X$ in $t$ is guarded if $t$ has a subterm of the form
$a \cdot t'$ where $a \in A$ and $t'$ is a term containing this occurrence of $X$.
Let $E$ be a recursive specification over ACP. Then $E$ is a guarded recursive
specification if, in each equation $X = t_X \in E$, all occurrences of variables in
$t_X$ are guarded or $t_X$ can be rewritten to such a term using the axioms of ACP
in either direction and/or the equations in $E$ except the equation $X = t_X$ from
left to right. We are only interested in models of ACP in which guarded recursive
specifications have unique solutions.

For each guarded recursive specification $E$ and each variable $X \in V(E)$, we
introduce a constant of sort P standing for the unique solution of $E$ for $X$. This
constant is denoted by $\langle X|E \rangle$. We often write $X$ for
$\langle X|E \rangle$ if $E$ is clear from the context. In such cases, it should
also be clear from the context that we use $X$ as a constant.

The additional axioms for recursion are given in Table 2. In this table, we
write $\langle t_X|E \rangle$ for $t_X$ with, for all $Y \in V(E)$, all occurrences
of $Y$ in $t_X$ replaced by $\langle Y|E \rangle$. Both RDP and RSP are axiom
schemas. Side conditions are added to restrict the variables, terms and guarded
recursive specifications for which $X$, $t_X$ and $E$ stand. The equations
$\langle X|E \rangle = \langle t_X|E \rangle$ for a fixed $E$ express that the
constants $\langle X|E \rangle$ make up a solution of $E$. The conditional equations
$E \Rightarrow X = \langle X|E \rangle$ express that this solution is the only one.
RDP and RSP were first formulated in [6].

We write ACP+REC for ACP extended with the constants standing for the 
unique solutions of guarded recursive specifications and the axioms RDP and 
RSP. 

4 ACP for Cooperating Components 

In this paper, we consider process components that cooperate by making and 
granting requests to carry out methods. The processes that are taken as the 
behaviours of these components are not made up of arbitrary actions. In this 
section, we introduce the instance of ACP that is restricted to the intended 
actions. This instance is called ACPcc (ACP for Cooperating Components). 

Three kinds of actions are distinguished in ACPcc: active actions, passive
actions and neutral actions. The active actions may be viewed as requests to
carry out some method and the passive actions may be viewed as grants of
requests to carry out some method. Making a request to carry out some method
and granting that request at the same time results in carrying out the method
concerned. The initiative in carrying out the method is considered to be taken
by the process making the request. This explains why the request is called an
active action and its grant is called a passive action. The neutral actions may be
viewed as the results of making a request to carry out some method and granting
that request at the same time. A process that can perform active actions only
behaves as a client and a process that can perform passive actions only behaves
as a server.

In ACPcc, it is assumed that a fixed but arbitrary finite set $\mathcal{L}$ of loci and a
fixed but arbitrary finite set $\mathcal{M}$ of methods have been given. A locus is a place
at which processes reside. Intuitively, a process resides at a locus if it is capable
of performing actions in that locus. The same process may reside at different
loci at once. Moreover, different processes may reside at the same locus at once.
Therefore, we do not necessarily refer to a unique process if we refer to a process
residing at a given locus.

In ACPcc, the set of actions $A$ consists of:

- for each $f, g \in \mathcal{L}$ and $m \in \mathcal{M}$, the active action f.m@g;

- for each $f, g \in \mathcal{L}$ and $m \in \mathcal{M}$, the passive action ~f.m@g;

- for each $f, g \in \mathcal{L}$ and $m \in \mathcal{M}$, the neutral action f.m@g.

Intuitively, these actions can be explained as follows:

- f.m@g is the action by which a process residing at locus g requests a process
residing at locus f to carry out method m;

- ~g.m@f is the action by which a process residing at locus f grants a request
of a process residing at locus g to carry out method m;

- f.m@g is the result of performing f.m@g and ~g.m@f at the same time.

In ACPcc, the communication function $| : A_\delta \times A_\delta \to A_\delta$ is
such that for all $f, g \in \mathcal{L}$ and $m \in \mathcal{M}$:

- f.m@g | ~g.m@f = f.m@g;

- f.m@g | a = $\delta$ for all $a \in A \setminus \{{\sim}g.m@f\}$;

- a | ~g.m@f = $\delta$ for all $a \in A \setminus \{f.m@g\}$;

- f.m@g | a = $\delta$ for all $a \in A$.

The receive actions and send actions commonly used for handshaking
communication of data, see e.g. [3], can be viewed as requests to carry out some
communication method and grants of such requests, respectively. However, the
current set-up requires that it is made explicit what are the loci at which the
sender and receiver involved reside.

5 Integers 

In this section, we present an algebraic theory about integers which will be used 
in later sections. The presented theory is called INT. 
Table 3. Axioms of INT

$0 + k = k$    INT1
$-k + k = 0$    INT2
$(k + l) + n = k + (l + n)$    INT3
$k + l = l + k$    INT4

$\mathrm{sg}(0) = 0$    SG1
$\mathrm{sg}(1) = 1$    SG2
$\mathrm{sg}(-1) = -1$    SG3
$\mathrm{sg}(k + \mathrm{sg}(k)) = \mathrm{sg}(k)$    SG4




INT has one sort: the sort Z of integers. To build terms of sort Z, INT has
the following constants and operators:

— the constant $0 : \mathbf{Z}$;

— the constant $1 : \mathbf{Z}$;

— the binary addition operator $+ : \mathbf{Z} \times \mathbf{Z} \to \mathbf{Z}$;

— the unary additive inverse operator $- : \mathbf{Z} \to \mathbf{Z}$;

— the unary signum operator $\mathrm{sg} : \mathbf{Z} \to \mathbf{Z}$.

Terms of sort Z are built as usual for a one-sorted signature. Throughout the
paper, we assume that there are infinitely many variables of sort Z, including $k$,
$l$ and $n$.

As usual, we use infix notation for the binary operator $+$ and prefix notation
for the unary operator $-$. The following additional precedence convention is used
to reduce the need for parentheses. The operator $+$ binds weaker than the
operator $-$.

The constants and operators of INT are adopted from integer arithmetic 
and need no further explanation. The operator sg is useful where a distinction 
between positive integers, negative integers and zero must be made. 

The axioms of INT are the axioms given in Table 3. Axioms INT1-INT4 are 
the axioms of a commutative group. Axioms SG1-SG4 are the defining axioms 
of sg. 

The initial model of INT is considered the standard model of INT. 

6 Interface Group for Cooperating Components 

In this section, we present an algebraic theory about interfaces. The presented
theory is called IFGcc. In Section 7, we will consider process components which
are taken as pairs of an interface and a process that is made up of active
actions, passive actions, and neutral actions. Interfaces are built from two kinds of
interface elements.

The set of interface elements consists of:

— for each $f, g \in \mathcal{L}$ and $m \in \mathcal{M}$, the active interface element f.m@g;

— for each $f, g \in \mathcal{L}$ and $m \in \mathcal{M}$, the passive interface element ~f.m@g.

We write $\mathcal{IE}$ for the set of all interface elements.

Obviously, $\mathcal{IE}$ is a proper subset of $A$. The interface elements are those
actions that are allowed to occur in interfaces. The interface part of a process
component consists of the active and passive actions that the process part of
that process component may be capable of performing. The interface elements
f.m@g and ~g.m@f are considered each other's inverses. That is, if both occur
in an interface, they cancel out.

Active interface elements are usually included in the interface of a process 
component to couch that it expects from the environment in which it is put the 
ability to grant certain requests. Passive interface elements are usually included 
in the interface of a process component to couch that it promises the environment 
in which it is put the ability to make certain requests. The environment in which 
the process component is put may be composed of different process components. 
To couch that it expects from a number of process components an ability or 
it promises a number of process components an ability, the relevant interface 
element is included the number of times concerned in the interface of the process 
component. An example of the need for multiple occurrences of interface elements 
in interfaces of process components is found in Section 11.

The distinction between active interface elements and passive interface
elements made here is a case of distinction between expectations and promises
because interface elements are actions that process components may be capable
of performing. If the interface elements would be actions that process
components must be capable of performing, it would be a case of distinction between
requirements and provisions.

Interfaces can be considered multisets over the set of all active interface
elements in which multiplicities of elements may be negative too, since occurrences
of passive interface elements in an interface can be counted as negative
occurrences of their inverses.

IFGcc has the sort Z from INT and in addition the sort I of interfaces. To
build terms of sort I, IFGcc has the following constants and operators:

— the empty interface constant $0 : \mathbf{I}$;

— for each $e \in \mathcal{IE}$, the interface element constant $e : \mathbf{I}$;

— the binary interface combination operator $+ : \mathbf{I} \times \mathbf{I} \to \mathbf{I}$;

— the unary interface inversion operator $- : \mathbf{I} \to \mathbf{I}$.

To build terms of sort Z, IFGcc has the constants and operators of INT and in
addition the following operator:

— for each $f, g \in \mathcal{L}$ and $m \in \mathcal{M}$, the unary multiplicity operator
$\#_{f.m@g} : \mathbf{I} \to \mathbf{Z}$.

Terms of the sorts I and Z are built as usual for a many-sorted signature (see
e.g. [17,16]). Throughout the paper, we assume that there are infinitely many
variables of sort I, including $i$, $j$ and $h$.
Table 4. Axioms of IFGcc

$0 + i = i$    IFG1
$-i + i = 0$    IFG2
$(i + j) + h = i + (j + h)$    IFG3
$i + j = j + i$    IFG4
$f.m@g + {\sim}g.m@f = 0$    IFG5

$\#_{f.m@g}(0) = 0$    M1
$\#_{f.m@g}(f'.m'@g') = 0$ if $f \neq f' \lor m \neq m' \lor g \neq g'$    M2
$\#_{f.m@g}(f.m@g) = 1$    M3
$\#_{f.m@g}(-i) = -\#_{f.m@g}(i)$    M4
$\#_{f.m@g}(i + j) = \#_{f.m@g}(i) + \#_{f.m@g}(j)$    M5



We use infix notation for the binary operator + and prefix notation for the 
unary operator — . The following precedence convention is used to reduce the 
need for parentheses. The operator + binds weaker than the operator — . 

Let $I$ and $J$ be closed terms of sort I, $f, g \in \mathcal{L}$, and $m \in \mathcal{M}$. Viewing
interfaces as multisets with multiplicities from Z, the constants and operators of
IFGcc to build terms of sort I can be explained as follows:

— $0$ is the interface in which the multiplicity of each active interface element is
0;

— f.m@g is the interface in which the multiplicity of f.m@g is 1 and the
multiplicity of each other active interface element is 0;

— ~f.m@g is the interface in which the multiplicity of g.m@f is −1 and the
multiplicity of each other active interface element is 0;

— $I + J$ is the interface in which the multiplicity of each active interface element
is the addition of its multiplicities in $I$ and $J$;

— $-I$ is the interface in which the multiplicity of each active interface element
is the additive inverse of its multiplicity in $I$.

The operators $\#_{f.m@g}$, one for each $f, g \in \mathcal{L}$ and $m \in \mathcal{M}$, can simply be
explained as follows:

— $\#_{f.m@g}(I)$ is the multiplicity of f.m@g in $I$.

We write $\sum_{i \in \mathcal{I}} I_i$, where $\mathcal{I} = \{i_1, \ldots, i_n\}$ and
$I_{i_1}, \ldots, I_{i_n}$ are terms of sort I, for $I_{i_1} + \ldots + I_{i_n}$.
The convention is that $\sum_{i \in \mathcal{I}} I_i$ stands for $0$ if $\mathcal{I} = \emptyset$.

The axioms of IFGcc are the axioms of INT and the axioms given in
Table 4. IFG5 and M1-M5 are actually axiom schemas in which $f$ and $g$ stand for
arbitrary members of $\mathcal{L}$ and $m$ stands for an arbitrary member of $\mathcal{M}$. Axioms
IFG1-IFG4 are the axioms of a commutative group and axiom IFG5, called the
reflection law, states that ~g.m@f is taken as the inverse of f.m@g. Axioms
M1-M5 are the defining axioms of $\#_{f.m@g}$.

The initial model of IFGcc is considered the standard model of IFGcc.

Other interface groups for cooperating components are conceivable. For
example, adding $i + i = 0$, or equivalently $i = -i$, to the axioms of IFGcc yields
an interface group with torsion. This addition means that no distinction is made
between an active interface element and the passive interface element that is
its inverse. This is not unfamiliar. IFGcc without torsion goes with the
observable actions of CCS [14], whereas IFGcc with torsion goes with the events of
CSP [11].

7 Algebra of Cooperating Components 

In this section, we take up the extension of ACPcc to a theory about process 
components. The result is called ACC (Algebra of Cooperating Components). 

In the preceding sections, we have already gone into some of the general
ideas that underlie the design of this extension. Those ideas, which concern the
interfaces and behaviours of process components, can be summarized as follows:

— behaviours of process components are processes made up of three kinds of 
actions: active actions, passive actions and neutral actions; 

— for each active action, there is a unique passive action with which it can be 
performed synchronously, and vice versa; 

— interfaces of process components consist of active and passive actions that 
the process components may be capable of performing; 

— looked upon as an interface element, each active action has the passive action 
with which it can be performed synchronously as its inverse, and vice versa; 

— in interfaces of process components, there may be elements with multiple 
occurrences. 

The remaining general ideas concern the process components by themselves: 

— if a process is turned into a process component by adding an interface to 
it, the process is restricted by the interface with respect to the active and 
passive actions that it can perform to force that the behaviour of the process 
component complies with its interface; 

— if two process components are composed, the interface of the composed
process component is the combination of the interfaces of the two process
components and the behaviour of the composed process component is the parallel
composition of the behaviours of the two process components restricted by
the combination of the interfaces of the two process components.

The point of view on the composition of process components implies that,
if all occurrences of an (active or passive) action in the interface of a process
component are cancelled out by composition with another process component,
this action is blocked in the behaviour of the composition of these process
components. The blocking of the action takes place even if its inverse is not included
in the actions that make up the behaviour of the other process component. It is
possible that the inverse is not included because the interfaces concern
expectations and promises instead of requirements and provisions (see also Section 6).
The way in which this possibility is dealt with can be explained as follows: (i) if a
promised ability to make a request is not provided, making the request is blocked
and (ii) if an expected ability to grant a request is not required, granting the
request is blocked.

ACC has the sort P from ACPcc, the sorts I and Z from IFGcc, and in
addition the sort C of components. To build terms of sort C, ACC has the
following operators:

— the binary basic component operator $c : \mathbf{I} \times \mathbf{P} \to \mathbf{C}$;

— the binary component composition operator $\parallel : \mathbf{C} \times \mathbf{C} \to \mathbf{C}$.

To build terms of sort P, ACC has the constants and operators of ACPcc and
in addition the following operator:

— the binary interface compliant encapsulation operator $\partial : \mathbf{I} \times \mathbf{P} \to \mathbf{P}$.

To build terms of sort I, ACC has the constants and operators of IFGcc to build
terms of sort I. To build terms of sort Z, ACC has the constants and operators
of IFGcc to build terms of sort Z.

Terms of the different sorts are built as usual for a many-sorted signature.
Throughout the paper, we assume that there are infinitely many variables of
sort C, including $u$, $v$, $u'$ and $v'$.

We use infix notation for the binary operator $\parallel$. We write $\partial_I(P)$, where $I$ is
a term of sort I and $P$ is a term of sort P, for $\partial(I, P)$.

Let $C$ and $D$ be closed terms of sort C, $P$ be a closed term of sort P, and $I$ be
a closed term of sort I. Viewing interfaces as multisets with multiplicities from
Z, the operators of ACC to build terms of sort C can be explained as follows:

— $c(I, P)$ is the process component of which the interface is $I$ and the behaviour
is $P$, except that active actions of which the multiplicity in $I$ is not positive
and passive actions with an inverse of which the multiplicity in $I$ is not
negative are blocked;

— $C \parallel D$ is the process component of which the interface is the combination of
the interfaces of $C$ and $D$ and the behaviour is the parallel composition of the
behaviours of $C$ and $D$, except that active actions of which the multiplicity
in the combination of the interfaces of $C$ and $D$ is not positive and passive
actions with an inverse of which the multiplicity in the combination of the
interfaces of $C$ and $D$ is not negative are blocked.

The operator $\partial$ can be explained as follows:

— $\partial_I(P)$ behaves the same as $P$, except that active actions of which the
multiplicity in $I$ is not positive and passive actions with an inverse of which the
multiplicity in $I$ is not negative are blocked.

The operator $\partial$ is an auxiliary operator used in the axioms concerning process
components.
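Table 5. Axioms of ACC

$c(i, x) = c(i, \partial_i(x))$    CC1
$c(i, x) \parallel c(j, y) = c(i + j, \partial_i(x) \parallel \partial_j(y))$    CC2

$\mathrm{sg}(\#_{f.m@g}(i)) = 1 \Rightarrow \partial_i(f.m@g) = f.m@g$    E1
E2
$\mathrm{sg}(\#_{f.m@g}(i)) = -1 \Rightarrow \partial_i(f.m@g) = \delta$    E3
$\mathrm{sg}(\#_{g.m@f}(i)) = -1 \Rightarrow \partial_i({\sim}f.m@g) = {\sim}f.m@g$    E4
$\mathrm{sg}(\#_{g.m@f}(i)) = 0 \Rightarrow \partial_i({\sim}f.m@g) = \delta$    E5
$\mathrm{sg}(\#_{g.m@f}(i)) = 1 \Rightarrow \partial_i({\sim}f.m@g) = \delta$    E6
$\partial_i(f.m@g) = f.m@g$    E7
$\partial_i(\delta) = \delta$    E8
$\partial_i(x + y) = \partial_i(x) + \partial_i(y)$    E9
$\partial_i(x \cdot y) = \partial_i(x) \cdot \partial_i(y)$    E10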



The axioms of ACC are the axioms of ACP, the axioms of IFGcc, and the
axioms given in Table 5. E1-E7 are actually axiom schemas in which $f$ and
$g$ stand for arbitrary members of $\mathcal{L}$ and $m$ stands for an arbitrary member
of $\mathcal{M}$. Axioms CC1 and CC2 are axioms concerning process components and
axioms E1-E10 are the defining axioms of the auxiliary operator $\partial$. Together
they formalize the intuition about process components given above in a direct
way. It is only because they are used in axioms E1-E6 that the multiplicity
operators $\#_{f.m@g}$ are included in the theory IFGcc and the signum operator sg
is included in the theory INT.

Guarded recursion can be added to ACC as it is added to ACP in Section 3. 
We write ACC+REC for ACC extended with the constants standing for the 
unique solutions of guarded recursive specifications and the axioms RDP and 
RSP. 

In Section 13, we will construct a model of ACC+REC using a notion of 
bisimilarity for process components. 

8 On the Associativity of Component Composition 

In this section, we show that component composition is in general not associative 
and couch in a special axiom that component composition is associative when a 
certain condition on its operands is fulfilled. 

Let $f, g \in \mathcal{L}$, and let $m, m', m'' \in \mathcal{M}$ be such that $m' \neq m''$, and take

$C_1 = c({\sim}g.m@f + g.m'@f,\; {\sim}g.m@f \cdot g.m'@f)$ ,
$C_2 = c(f.m@g,\; f.m@g)$ ,
$C_3 = c({\sim}g.m@f + g.m''@f,\; {\sim}g.m@f \cdot g.m''@f)$ .
Table 6. Associativity axiom for component composition

$\bigwedge_{f,g \in \mathcal{L},\, m \in \mathcal{M}} \big( \#_{f.m@g}(i + j + h) = 0 \;\lor\; \#_{f.m@g}(i) = 0 \;\lor\; \#_{f.m@g}(j) = 0 \;\lor\; \#_{f.m@g}(h) = 0 \;\lor$
$\quad (\mathrm{sg}(\#_{f.m@g}(i)) = \mathrm{sg}(\#_{f.m@g}(j)) \land \mathrm{sg}(\#_{f.m@g}(j)) = \mathrm{sg}(\#_{f.m@g}(h))) \big) \Rightarrow$
$\quad (c(i, x) \parallel c(j, y)) \parallel c(h, z) = c(i, x) \parallel (c(j, y) \parallel c(h, z))$



We easily derive from the axioms of ACC that

$(C_1 \parallel C_2) \parallel C_3 =$
$c(g.m'@f,\; f.m@g \cdot g.m'@f) \parallel C_3 =$
$c({\sim}g.m@f + g.m'@f + g.m''@f,\; f.m@g \cdot g.m'@f \cdot \delta)$

and

$C_1 \parallel (C_2 \parallel C_3) =$
$C_1 \parallel c(g.m''@f,\; f.m@g \cdot g.m''@f) =$
$c({\sim}g.m@f + g.m'@f + g.m''@f,\; f.m@g \cdot g.m''@f \cdot \delta)$ .

Hence, we have that $(C_1 \parallel C_2) \parallel C_3 \neq C_1 \parallel (C_2 \parallel C_3)$.

The associativity axiom for component composition is given in Table 6. It is 
not known to us whether the condition in this axiom is a necessary condition for 
associativity of component composition. 
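
The multiset reading of interfaces from Section 6, the blocking rule of the encapsulation operator from Section 7 and the side condition of the associativity axiom of Table 6 are all decidable checks on integer multiplicities. The following Python code is an added example, not part of the paper: the tuple encoding of actions and every function name are assumptions made here, and the side condition is read as "for every active element, its multiplicity in i + j + h, in i, in j or in h is 0, or its sign is the same in i, j and h".

```python
# Added example (not from the paper). An interface is stored in normal form:
# a dict from active interface elements (f, m, g), read "f.m@g", to a
# non-zero integer multiplicity. Actions are tuples (kind, f, m, g).

DELTA = "delta"  # the deadlock constant


def active(f, m, g):
    """The interface consisting of the active element f.m@g."""
    return {(f, m, g): 1}


def passive(f, m, g):
    """The interface ~f.m@g: multiplicity -1 for its inverse g.m@f (IFG5)."""
    return {(g, m, f): -1}


def combine(*interfaces):
    """Interface combination '+'; elements that cancel out are dropped."""
    total = {}
    for itf in interfaces:
        for elem, k in itf.items():
            total[elem] = total.get(elem, 0) + k
    return {elem: k for elem, k in total.items() if k != 0}


def invert(i):
    """Interface inversion '-'."""
    return {elem: -k for elem, k in i.items()}


def mult(i, f, m, g):
    """The multiplicity operator #_{f.m@g}(i)."""
    return i.get((f, m, g), 0)


def sg(k):
    """The signum operator of INT."""
    return (k > 0) - (k < 0)


def is_empty(i):
    """Empty interface: the sufficient condition for a closed system."""
    return not combine(i)


def encapsulate(i, action):
    """Interface compliant encapsulation of a single action.

    Active f.m@g survives only if its multiplicity in i is positive;
    passive ~f.m@g survives only if the multiplicity of its inverse g.m@f
    is negative; neutral actions are never blocked.
    """
    kind, f, m, g = action
    if kind == "active":
        return action if sg(mult(i, f, m, g)) == 1 else DELTA
    if kind == "passive":
        return action if sg(mult(i, g, m, f)) == -1 else DELTA
    return action


def associativity_condition(i, j, h):
    """Side condition of the associativity axiom, as read in the lead-in.

    Elements that occur in none of i, j, h have multiplicity 0 everywhere,
    so only the elements that occur somewhere need to be inspected.
    """
    total = combine(i, j, h)
    for elem in set(i) | set(j) | set(h):
        ks = [itf.get(elem, 0) for itf in (i, j, h)]
        if total.get(elem, 0) == 0 or 0 in ks:
            continue
        if sg(ks[0]) == sg(ks[1]) == sg(ks[2]):
            continue
        return False
    return True


# Interfaces of C1, C2 and C3 from this section (loci and methods as strings).
I1 = combine(passive("g", "m", "f"), active("g", "m'", "f"))
I2 = active("f", "m", "g")
I3 = combine(passive("g", "m", "f"), active("g", "m''", "f"))
I12 = combine(I1, I2)  # interface of C1 || C2

if __name__ == "__main__":
    print("interface of C1 || C2:", I12)
    print("request f.m@g in C1 || C2:",
          encapsulate(I12, ("active", "f", "m", "g")))
    print("condition holds for C1, C2, C3:",
          associativity_condition(I1, I2, I3))
```

In the interface of C1 || C2 the request f.m@g and its grant ~g.m@f have cancelled out, so both are blocked there while the neutral action remains; the condition fails for C1, C2, C3 on the element f.m@g, whose multiplicities are -1, 1 and -1.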

Below, we will sketch the justification of the associativity axiom. For that 
purpose, we first shortly introduce the approximation induction principle, which 
has been introduced before in the setting of ACP. 

Guarded recursion gives rise to infinite processes. In ACC+REC, closed terms 
of sort P that denote the same infinite process cannot always be proved equal by 
means of the axioms of ACC+REC. To remedy this, we can add the approxima- 
tion induction principle to ACC+REC. The approximation induction principle, 
AIP in short, was first formulated in the setting of ACP in [6]. It formalized 
the idea that two processes are identical if their approximations up to any finite 
depth are identical. The approximation up to depth n of a process behaves the 
same as that process, except that it cannot perform any further action after n ac- 
tions have been performed. Approximation up to depth n is phrased in terms of 
the unary projection operator $\pi_n$. For a comprehensive treatment of projections 
and AIP, the reader is referred to [3]. 

We proceed with the justification of the associativity axiom given in Table 6. 
It can be proved that all closed substitution instances of this axiom are deriv- 
able from the axioms of ACC+REC, the axioms for the projection operators and 
AIP. Moreover, the model $\mathfrak{B}_{\mathrm{ACC+REC}}$ of ACC+REC that will be constructed 
in Section 13 can be expanded with operations for the projection operators such 
that the axioms for the projection operators and AIP hold in the expansion. 
Because all elements of the sets associated with the sorts P, I and C in 
$\mathfrak{B}_{\mathrm{ACC+REC}}$ are interpretations of closed terms, it follows that the 
associativity axiom holds in $\mathfrak{B}_{\mathrm{ACC+REC}}$. 

9 Closed Systems and Interfaces of Process Components 

In this short section, we discuss the connection between closed systems and 
empty interfaces. The intuition is that a system is a closed system if the actions 
that make up its behaviour include neither active actions nor passive actions. 

We first shortly introduce the alphabet operator, which has been introduced 
before in the setting of ACP. 

The set of actions that can be performed by a process is called the alphabet 
of the process. We can add the unary alphabet operator $\alpha$ to ACC+REC to 
extract the alphabet from a process. The alphabet operator was first added to 
ACP+REC in [1]. To deal with infinite processes, the projection operators occur 
in the axioms for this operator. For a comprehensive treatment of alphabets, the 
reader is referred to [3]. 

Let $I$ be a closed term of sort I and $P$ be a closed term of sort P. Then 
$c(I,P)$ is a closed system if $\alpha(\partial_I(P)) \subseteq \{f.m@g \mid f,g \in \mathcal{L}, m \in \mathcal{M}\}$. 

It can be proved that, for each closed term $I$ of sort I and closed term $P$ of 
sort P, the following is derivable from the axioms of ACC+REC, the axioms for 
the alphabet operator, the axioms for the projection operators and AIP: 

$$I = 0 \Rightarrow c(I,P) \text{ is a closed system} .$$

It is generally undecidable whether $c(I,P)$ is a closed system. However, it is 
decidable whether $I = 0$. This illustrates the usefulness of combining a process 
with an interface in the way presented in this paper. 

10 An Example 

In this section, we illustrate the use of ACC by means of an example concerning 
buffers with capacity one. We assume a finite set $\mathcal{D}$ of data with $e \in \mathcal{D}$ and, 
for each $d \in \mathcal{D}$, a method $c_d$ for communicating datum $d$. We take the element 
$e \in \mathcal{D}$ for an improper datum. 

We consider the three buffer processes $B_f$, $B_g$ and $B_h$ that are defined by 
the guarded recursion equations 

$$\begin{array}{l}
B_f = \sum_{d \in \mathcal{D} \setminus \{e\}} {\sim}s.c_d@f \cdot (g.c_d@f + g.c_e@f) \cdot B_f , \\
B_g = \sum_{d \in \mathcal{D} \setminus \{e\}} {\sim}f.c_d@g \cdot (h.c_d@g + h.c_e@g) \cdot B_g , \\
B_h = \sum_{d \in \mathcal{D} \setminus \{e\}} {\sim}g.c_d@h \cdot (r.c_d@h + r.c_e@h) \cdot B_h ,
\end{array}$$

respectively. The processes $B_f$, $B_g$ and $B_h$ always reside at the loci $f$, $g$ and 
$h$, respectively. $B_f$ is able to pass data from a process residing at locus $s$ to 
a process residing at locus $g$, $B_g$ is able to pass data from a process residing 
at locus $f$ to a process residing at locus $h$, and $B_h$ is able to pass data from 
a process residing at locus $g$ to a process residing at locus $r$. $B_f$, $B_g$ and $B_h$ 
are faulty in the sense that they may deliver an improper datum instead of the 
datum to be delivered. 

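We turn these three buffer processes into process components by adding 
interfaces to them. To be exact, we turn the processes $B_f$, $B_g$ and $B_h$ into the 
process components $c(I_f,B_f)$, $c(I_g,B_g)$ and $c(I_h,B_h)$, where 

$$\begin{array}{l}
I_f = \sum_{d \in \mathcal{D} \setminus \{e\}} {\sim}s.c_d@f + \sum_{d \in \mathcal{D}} g.c_d@f , \\
I_g = \sum_{d \in \mathcal{D} \setminus \{e\}} {\sim}f.c_d@g + \sum_{d \in \mathcal{D}} h.c_d@g , \\
I_h = \sum_{d \in \mathcal{D} \setminus \{e\}} {\sim}g.c_d@h + \sum_{d \in \mathcal{D}} r.c_d@h .
\end{array}$$
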

We have a look at the component composition $c(I_f,B_f) \parallel (c(I_g,B_g) \parallel c(I_h,B_h))$ 
- which equals $(c(I_f,B_f) \parallel c(I_g,B_g)) \parallel c(I_h,B_h)$ by the associativity axiom for 
component composition. It follows from axioms CC1 and CC2 that 

$$\begin{array}{l}
c(I_f,B_f) \parallel (c(I_g,B_g) \parallel c(I_h,B_h)) \\
\quad = c(I_f + I_g + I_h,\ \partial_{I_f+I_g+I_h}(\partial_{I_f}(B_f) \parallel \partial_{I_g+I_h}(\partial_{I_g}(B_g) \parallel \partial_{I_h}(B_h)))) .
\end{array}$$

Moreover, it follows from axioms IFG1-IFG5 that 

$$I_f + I_g + I_h = \sum_{d \in \mathcal{D} \setminus \{e\}} {\sim}s.c_d@f + g.c_e@f + h.c_e@g + \sum_{d \in \mathcal{D}} r.c_d@h$$

and from axioms INT1-INT4, SG1-SG4, IFG5, M1-M5, E1-E10, and RSP that 

$$\begin{array}{l}
\partial_{I_f+I_g+I_h}(\partial_{I_f}(B_f) \parallel \partial_{I_g+I_h}(\partial_{I_g}(B_g) \parallel \partial_{I_h}(B_h))) \\
\quad = \partial_{I_f+I_g+I_h}(B_f \parallel B_g \parallel B_h) .
\end{array}$$

Hence, we have by axiom CC1 that 

$$\begin{array}{l}
c(I_f,B_f) \parallel (c(I_g,B_g) \parallel c(I_h,B_h)) \\
\quad = c\Bigl(\sum_{d \in \mathcal{D} \setminus \{e\}} {\sim}s.c_d@f + g.c_e@f + h.c_e@g + \sum_{d \in \mathcal{D}} r.c_d@h,\ B_f \parallel B_g \parallel B_h\Bigr) .
\end{array}$$

It can further be shown by means of the axioms of ACP+REC that the behaviour 
of $c(I_f,B_f) \parallel (c(I_g,B_g) \parallel c(I_h,B_h))$ is essentially a buffer with capacity three. 
This buffer process, which resides alternately at the loci $f$, $g$ and $h$, is able to 
pass data from a process residing at locus $s$ to a process residing at locus $r$. It is 
faulty in the sense that it may deliver an improper datum instead of the datum 
to be delivered. Moreover, the improper datum may be delivered at the locus $g$ 
or the locus $h$ instead of the locus $r$. 

The process component $c(I_f,B_f) \parallel (c(I_g,B_g) \parallel c(I_h,B_h))$ does not have an 
empty interface. It follows from axioms IFG1-IFG5 that composing it with a 
process component whose interface is 

$$\sum_{d \in \mathcal{D} \setminus \{e\}} f.c_d@s + {\sim}f.c_e@g + {\sim}g.c_e@h + \sum_{d \in \mathcal{D}} {\sim}h.c_d@r$$

would result in an empty interface. This shows that an empty interface requires 
composition with a process component that promises to handle the delivery of 
an improper datum at the loci $g$, $h$ and $r$. 

11 Another Example 

In this section, we illustrate the use of ACC by means of an example in which a 
single buffer with capacity one is used to pass data between three components. 
We assume a finite set $\mathcal{D}$ of data, a function $F : \mathcal{D} \to \mathcal{D}$ and, for each $d \in \mathcal{D}$, 
a method $c_d$ for communicating datum $d$. We also assume methods $\mathit{wa}_1$, $\mathit{wa}_2$, 
$\mathit{wa}_3$, $\mathit{sl}_1$, $\mathit{sl}_2$ and $\mathit{sl}_3$ for controlling the cooperation of the three components that 
share the buffer. 

We consider the processes $P_1$, $P_2$ and $P_3$ that are defined by the guarded 
recursion equations 

$$\begin{array}{l}
P_1 = {\sim}h.\mathit{wa}_1@f \cdot \sum_{d \in \mathcal{D}} {\sim}s.c_d@f \cdot g.c_d@f \cdot {\sim}h.\mathit{sl}_1@f \cdot P_1 , \\
P_2 = {\sim}h.\mathit{wa}_2@f \cdot \sum_{d \in \mathcal{D}} {\sim}g.c_d@f \cdot g.c_{F(d)}@f \cdot {\sim}h.\mathit{sl}_2@f \cdot P_2 , \\
P_3 = {\sim}h.\mathit{wa}_3@f \cdot \sum_{d \in \mathcal{D}} {\sim}g.c_d@f \cdot r.c_d@f \cdot {\sim}h.\mathit{sl}_3@f \cdot P_3 ,
\end{array}$$

respectively. All three processes always reside at locus $f$. $P_1$ is able to pass data 
from a process residing at locus $s$ to a process residing at locus $g$, $P_2$ is able to 
apply an operation to data held by a process residing at locus $g$, and $P_3$ is able 
to pass data from a process residing at locus $g$ to a process residing at locus 
$r$. The processes $P_1$, $P_2$ and $P_3$ are called the entry process, the main process 
and the exit process, respectively. We also consider the buffer process $B$ and the 
control process $C$ defined by the guarded recursion equations 

$$\begin{array}{l}
B = \sum_{d \in \mathcal{D}} {\sim}f.c_d@g \cdot f.c_d@g \cdot B , \\
C = \sum_{d \in \mathcal{D}} f.\mathit{wa}_1@h \cdot f.\mathit{sl}_1@h \cdot f.\mathit{wa}_2@h \cdot f.\mathit{sl}_2@h \cdot f.\mathit{wa}_3@h \cdot f.\mathit{sl}_3@h \cdot C ,
\end{array}$$

respectively. The processes $B$ and $C$ always reside at the loci $g$ and $h$, respectively. 
$B$ is able to pass data from a process residing at locus $f$ to a process 
residing at locus $f$ and $C$ is able to control the cooperation of three processes 
residing at locus $f$ such that they take turns in doing a number of steps. 

We turn all these processes into process components by adding interfaces to 
them. To be exact, we turn $P_1$, $P_2$, $P_3$, $B$ and $C$ into the process components 
$c(I_1,P_1)$, $c(I_2,P_2)$, $c(I_3,P_3)$, $c(J,B)$ and $c(H,C)$, where 

$$\begin{array}{l}
I_1 = \sum_{d \in \mathcal{D}} ({\sim}s.c_d@f + g.c_d@f) + {\sim}h.\mathit{wa}_1@f + {\sim}h.\mathit{sl}_1@f , \\
I_2 = \sum_{d \in \mathcal{D}} ({\sim}g.c_d@f + g.c_d@f) + {\sim}h.\mathit{wa}_2@f + {\sim}h.\mathit{sl}_2@f , \\
I_3 = \sum_{d \in \mathcal{D}} ({\sim}g.c_d@f + r.c_d@f) + {\sim}h.\mathit{wa}_3@f + {\sim}h.\mathit{sl}_3@f , \\
J = \sum_{d \in \mathcal{D}} ({\sim}f.c_d@g + {\sim}f.c_d@g + f.c_d@g + f.c_d@g) , \\
H = f.\mathit{wa}_1@h + f.\mathit{wa}_2@h + f.\mathit{wa}_3@h + f.\mathit{sl}_1@h + f.\mathit{sl}_2@h + f.\mathit{sl}_3@h .
\end{array}$$

Notice that $g.c_d@f$ occurs once in both $I_1$ and $I_2$ and ${\sim}g.c_d@f$ occurs once in 
both $I_2$ and $I_3$, whereas their inverses occur twice in $J$. 

We have a look at $c(I_1,P_1) \parallel (c(I_2,P_2) \parallel (c(I_3,P_3) \parallel (c(J,B) \parallel c(H,C))))$. 
It follows from the axioms of ACC+REC that 

$$\begin{array}{l}
c(I_1,P_1) \parallel (c(I_2,P_2) \parallel (c(I_3,P_3) \parallel (c(J,B) \parallel c(H,C)))) \\
\quad = c\Bigl(\sum_{d \in \mathcal{D}} ({\sim}s.c_d@f + r.c_d@f),\ P_1 \parallel P_2 \parallel P_3 \parallel B \parallel C\Bigr) .
\end{array}$$

This would not be the case if ${\sim}f.c_d@g$ and $f.c_d@g$ occurred only once in $J$. The 
behaviour of $c(I_1,P_1) \parallel (c(I_2,P_2) \parallel (c(I_3,P_3) \parallel (c(J,B) \parallel c(H,C))))$ is essentially 
a process that is able to receive data from a process residing at locus $s$, apply 
$F$ to the received data, and send the results to a process residing at locus $r$. 
Each cycle of the process is accomplished as follows: first $P_1$ receives a datum 
and puts it in buffer $B$, then $P_2$ gets the datum from buffer $B$, applies $F$ to it 
and puts the result back in buffer $B$, and finally $P_3$ gets the result from buffer 
$B$ and sends the result. $C$ controls that $P_1$, $P_2$ and $P_3$ do not start their part of 
the cycle prematurely. 
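
The interface bookkeeping of Sections 8 to 11 can be checked mechanically; the following Python code is an added example and not part of the paper. It keeps an interface in a normal form (a map from f.m@g to an integer multiplicity, with ~g.m@f counted as -1 for f.m@g), decides I = 0, and evaluates the condition of the associativity axiom as read in the docstring; the data set {d0, d1, e}, the representation and all function names are assumptions of the example.

```python
from collections import Counter

# Normal form of an interface: {(f, m, g): n} means f.m@g occurs n times.
# The passive element ~g.m@f is the inverse of f.m@g, so it counts as -1 on
# the same key. The representation and all helper names belong to this example.

def active(f, m, g):
    """Interface element f.m@g."""
    return {(f, m, g): 1}

def passive(f, m, g):
    """Interface element ~f.m@g, the inverse of g.m@f."""
    return {(g, m, f): -1}

def plus(*interfaces):
    """Interface combination +; an element and its inverse cancel out."""
    total = Counter()
    for interface in interfaces:
        for key, n in interface.items():
            total[key] += n
    return {key: n for key, n in total.items() if n != 0}

def inverse(interface):
    return {key: -n for key, n in interface.items()}

def is_empty(interface):
    """Decides I = 0 on the normal form."""
    return not interface

def sg(n):
    return (n > 0) - (n < 0)

def associativity_condition(i, j, h):
    """Condition of the associativity axiom, read as: for every f.m@g, one of
    #(i+j+h), #(i), #(j), #(h) is 0, or #(i), #(j), #(h) all have the same sign."""
    for key in set(i) | set(j) | set(h):
        a, b, c = i.get(key, 0), j.get(key, 0), h.get(key, 0)
        if 0 not in (a + b + c, a, b, c) and not sg(a) == sg(b) == sg(c):
            return False
    return True

DATA = ["d0", "d1", "e"]                    # constructed data set; "e" is improper
PROPER = [d for d in DATA if d != "e"]

def c(d):
    return "c_" + d                         # method for communicating datum d

def section8_condition():
    """Associativity condition for the interfaces of C1, C2, C3 of Section 8."""
    i = plus(passive("g", "m", "f"), active("g", "m'", "f"))
    j = active("f", "m", "g")
    h = plus(passive("g", "m", "f"), active("g", "m''", "f"))
    return associativity_condition(i, j, h)

def buffer_interface(src, here, dst):
    """Interface of the faulty one-place buffer at locus `here` (Section 10)."""
    return plus(*(passive(src, c(d), here) for d in PROPER),
                *(active(dst, c(d), here) for d in DATA))

def buffer_chain():
    return (buffer_interface("s", "f", "g"),
            buffer_interface("f", "g", "h"),
            buffer_interface("g", "h", "r"))

def shared_buffer_system(copies_in_j=2):
    """Combined interface of the five components of Section 11."""
    def worker(n, src, dst):
        return plus(*(plus(passive(src, c(d), "f"), active(dst, c(d), "f")) for d in DATA),
                    passive("h", f"wa{n}", "f"), passive("h", f"sl{n}", "f"))
    j = plus(*(plus(passive("f", c(d), "g"), active("f", c(d), "g"))
               for d in DATA for _ in range(copies_in_j)))
    h = plus(*(active("f", f"{op}{n}", "h") for op in ("wa", "sl") for n in (1, 2, 3)))
    return plus(worker(1, "s", "g"), worker(2, "g", "g"), worker(3, "g", "r"), j, h)

if __name__ == "__main__":
    total = plus(*buffer_chain())
    print("buffers, residual interface:", total)
    print("closed after adding the inverse:", is_empty(plus(total, inverse(total))))
    print("associativity condition, buffers:", associativity_condition(*buffer_chain()))
    print("associativity condition, C1 C2 C3:", section8_condition())
    print("Section 11, J with two copies:", shared_buffer_system(2))
    print("Section 11, J with one copy:", shared_buffer_system(1))
```
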

12 Bisimilarity of Process Components 

In this section, we give a structural operational semantics for ACC+REC and 
define a notion of bisimilarity based on it. This notion of bisimilarity will be 
used in Section 13 to construct a model of ACC+REC. 

Henceforth, we will write $\mathcal{T}_S$, where $S \in \{P, I, C\}$, for the set of all closed 
terms of sort $S$ from the language of ACC+REC. Moreover, we will write $\mathcal{T}_Z^{\mathrm{INT}}$ 
for the set of all closed terms of sort Z from the language of INT. 

The following relations are the primary relations used in the structural op- 
erational semantics of ACC+REC: 

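- a unary relation $\xrightarrow{a}_P \surd \subseteq \mathcal{T}_P$, for each $a \in A$; 

- a binary relation $\xrightarrow{a}_P \subseteq \mathcal{T}_P \times \mathcal{T}_P$, for each $a \in A$; 

- a unary relation $f.m@g \in^N \subseteq \mathcal{T}_I$, for each $f,g \in \mathcal{L}$, $m \in \mathcal{M}$ and $N \in \mathcal{T}_Z^{\mathrm{INT}}$; 

- a binary relation $\mathrm{hasIF} \subseteq \mathcal{T}_C \times \mathcal{T}_I$; 

- a unary relation $\xrightarrow{a}_C \surd \subseteq \mathcal{T}_C$, for each $a \in A$; 

- a binary relation $\xrightarrow{a}_C \subseteq \mathcal{T}_C \times \mathcal{T}_C$, for each $a \in A$. 

We write $P \xrightarrow{a}_P \surd$ instead of $P \in {\xrightarrow{a}_P} \surd$, $P \xrightarrow{a}_P P'$ instead of $(P,P') \in {\xrightarrow{a}_P}$, 
$f.m@g \in^N I$ instead of $I \in f.m@g \in^N$, $C \mathrel{\mathrm{hasIF}} I$ instead of $(C,I) \in \mathrm{hasIF}$, 
$C \xrightarrow{a}_C \surd$ instead of $C \in {\xrightarrow{a}_C} \surd$, and $C \xrightarrow{a}_C C'$ instead of $(C,C') \in {\xrightarrow{a}_C}$. The relations 
can be explained as follows: 

- $P \xrightarrow{a}_P \surd$: process $P$ is capable of first performing $a$ and then terminating 
successfully; 

- $P \xrightarrow{a}_P P'$: process $P$ is capable of first performing $a$ and then proceeding as 
process $P'$; 

- $f.m@g \in^N I$: $f.m@g$ occurs $N$ times in interface $I$; 

- $C \mathrel{\mathrm{hasIF}} I$: the interface of component $C$ is $I$; 

- $C \xrightarrow{a}_C \surd$: component $C$ is capable of first performing $a$ and then terminating 
successfully; 

- $C \xrightarrow{a}_C C'$: component $C$ is capable of first performing $a$ and then proceeding 
as component $C'$. 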

The following relations are auxiliary relations used in the structural opera- 
tional semantics of ACC+REC: 

- a unary relation $f.m@g \in^+ \subseteq \mathcal{T}_I$, for each $f,g \in \mathcal{L}$ and $m \in \mathcal{M}$; 

- a unary relation $f.m@g \in^- \subseteq \mathcal{T}_I$, for each $f,g \in \mathcal{L}$ and $m \in \mathcal{M}$; 

- a unary relation $f.m@g \in^+ \mathrm{IF} \subseteq \mathcal{T}_C$, for each $f,g \in \mathcal{L}$ and $m \in \mathcal{M}$; 

- a unary relation $f.m@g \in^- \mathrm{IF} \subseteq \mathcal{T}_C$, for each $f,g \in \mathcal{L}$ and $m \in \mathcal{M}$. 

We write $f.m@g \in^+ I$ and $f.m@g \in^- I$ instead of $I \in f.m@g \in^+$ and $I \in 
f.m@g \in^-$, respectively. We write $f.m@g \in^+ \mathrm{IF}(C)$ and $f.m@g \in^- \mathrm{IF}(C)$ instead 
of $C \in f.m@g \in^+ \mathrm{IF}$ and $C \in f.m@g \in^- \mathrm{IF}$, respectively. The relations can be 
explained as follows: 

- $f.m@g \in^+ I$: $f.m@g$ occurs a positive number of times in interface $I$; 

- $f.m@g \in^- I$: $f.m@g$ occurs a negative number of times in interface $I$; 

- $f.m@g \in^+ \mathrm{IF}(C)$: $f.m@g$ occurs a positive number of times in the interface 
of component $C$; 

- $f.m@g \in^- \mathrm{IF}(C)$: $f.m@g$ occurs a negative number of times in the interface 
of component $C$. 

The auxiliary relations are for convenience only. 

The structural operational semantics of ACC+REC is described by the rules 
given in Tables 7 and 8. 

The following uniqueness property of the relations $f.m@g \in^N$ will be used 
in Section 13 to construct a model of ACC+REC. 

Lemma 1. Let $f,g \in \mathcal{L}$ and $m \in \mathcal{M}$. Then for all $I \in \mathcal{T}_I$ there exists an 
$N \in \mathcal{T}_Z^{\mathrm{INT}}$ such that for all $N' \in \mathcal{T}_Z^{\mathrm{INT}}$ with $f.m@g \in^{N'} I$ we have that $N = N'$ 
holds in the initial model of INT. 






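Proof. Straightforward, by induction on the structure of $I$. □ 

Table 7. Rules for operational semantics of ACP+REC 

$$\frac{}{a \xrightarrow{a}_P \surd}$$

$$\frac{x \xrightarrow{a}_P \surd}{x + y \xrightarrow{a}_P \surd} \qquad \frac{y \xrightarrow{a}_P \surd}{x + y \xrightarrow{a}_P \surd} \qquad \frac{x \xrightarrow{a}_P x'}{x + y \xrightarrow{a}_P x'} \qquad \frac{y \xrightarrow{a}_P y'}{x + y \xrightarrow{a}_P y'}$$

$$\frac{x \xrightarrow{a}_P \surd}{x \cdot y \xrightarrow{a}_P y} \qquad \frac{x \xrightarrow{a}_P x'}{x \cdot y \xrightarrow{a}_P x' \cdot y}$$

$$\frac{x \xrightarrow{a}_P \surd}{x \parallel y \xrightarrow{a}_P y} \qquad \frac{y \xrightarrow{a}_P \surd}{x \parallel y \xrightarrow{a}_P x} \qquad \frac{x \xrightarrow{a}_P x'}{x \parallel y \xrightarrow{a}_P x' \parallel y} \qquad \frac{y \xrightarrow{a}_P y'}{x \parallel y \xrightarrow{a}_P x \parallel y'}$$

$$\frac{x \xrightarrow{a}_P \surd,\ y \xrightarrow{b}_P \surd}{x \parallel y \xrightarrow{c}_P \surd}\ a \mid b = c \qquad \frac{x \xrightarrow{a}_P \surd,\ y \xrightarrow{b}_P y'}{x \parallel y \xrightarrow{c}_P y'}\ a \mid b = c$$

$$\frac{x \xrightarrow{a}_P x',\ y \xrightarrow{b}_P \surd}{x \parallel y \xrightarrow{c}_P x'}\ a \mid b = c \qquad \frac{x \xrightarrow{a}_P x',\ y \xrightarrow{b}_P y'}{x \parallel y \xrightarrow{c}_P x' \parallel y'}\ a \mid b = c$$

$$\frac{x \xrightarrow{a}_P \surd}{x \mathbin{\lfloor\!\lfloor} y \xrightarrow{a}_P y} \qquad \frac{x \xrightarrow{a}_P x'}{x \mathbin{\lfloor\!\lfloor} y \xrightarrow{a}_P x' \parallel y}$$

$$\frac{x \xrightarrow{a}_P \surd,\ y \xrightarrow{b}_P \surd}{x \mid y \xrightarrow{c}_P \surd}\ a \mid b = c \qquad \frac{x \xrightarrow{a}_P \surd,\ y \xrightarrow{b}_P y'}{x \mid y \xrightarrow{c}_P y'}\ a \mid b = c$$

$$\frac{x \xrightarrow{a}_P x',\ y \xrightarrow{b}_P \surd}{x \mid y \xrightarrow{c}_P x'}\ a \mid b = c \qquad \frac{x \xrightarrow{a}_P x',\ y \xrightarrow{b}_P y'}{x \mid y \xrightarrow{c}_P x' \parallel y'}\ a \mid b = c$$

$$\frac{x \xrightarrow{a}_P \surd}{\partial_H(x) \xrightarrow{a}_P \surd}\ a \notin H \qquad \frac{x \xrightarrow{a}_P x'}{\partial_H(x) \xrightarrow{a}_P \partial_H(x')}\ a \notin H$$

$$\frac{\langle t_X | E \rangle \xrightarrow{a}_P \surd}{\langle X | E \rangle \xrightarrow{a}_P \surd}\ X = t_X \in E \qquad \frac{\langle t_X | E \rangle \xrightarrow{a}_P x'}{\langle X | E \rangle \xrightarrow{a}_P x'}\ X = t_X \in E$$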

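A bisimulation $B$ is a triple of symmetric binary relations $B_P \subseteq \mathcal{T}_P \times \mathcal{T}_P$, 
$B_I \subseteq \mathcal{T}_I \times \mathcal{T}_I$, and $B_C \subseteq \mathcal{T}_C \times \mathcal{T}_C$ such that: 

- if $B_P(P_1,P_2)$ and $P_1 \xrightarrow{a}_P \surd$, then $P_2 \xrightarrow{a}_P \surd$; 

- if $B_P(P_1,P_2)$ and $P_1 \xrightarrow{a}_P P_1'$, then there exists a $P_2' \in \mathcal{T}_P$ such that $P_2 \xrightarrow{a}_P P_2'$ 
and $B_P(P_1',P_2')$; 

- if $B_I(I_1,I_2)$ and $f.m@g \in^{N_1} I_1$, then there exists an $N_2 \in \mathcal{T}_Z^{\mathrm{INT}}$ such that 
$f.m@g \in^{N_2} I_2$ and $N_1 = N_2$; 

- if $B_C(C_1,C_2)$ and $C_1 \mathrel{\mathrm{hasIF}} I_1$, then there exists an $I_2 \in \mathcal{T}_I$ such that $C_2 \mathrel{\mathrm{hasIF}} 
I_2$ and $B_I(I_1,I_2)$; 

- if $B_C(C_1,C_2)$ and $C_1 \xrightarrow{a}_C \surd$, then $C_2 \xrightarrow{a}_C \surd$; 

- if $B_C(C_1,C_2)$ and $C_1 \xrightarrow{a}_C C_1'$, then there exists a $C_2' \in \mathcal{T}_C$ such that $C_2 \xrightarrow{a}_C C_2'$ 
and $B_C(C_1',C_2')$. 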
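
Table 8. Additional rules for operational semantics of ACC+REC 

$$\frac{}{f.m@g \in^1 f.m@g} \qquad \frac{}{f.m@g \in^0 f'.m'@g'}\ f \neq f' \lor m \neq m' \lor g \neq g'$$

$$\frac{}{f.m@g \in^{-1} {\sim}g.m@f} \qquad \frac{}{f.m@g \in^0 {\sim}g'.m'@f'}\ f \neq f' \lor m \neq m' \lor g \neq g'$$

$$\frac{}{f.m@g \in^0 0} \qquad \frac{f.m@g \in^k i}{f.m@g \in^{-k} -i} \qquad \frac{f.m@g \in^k i,\ f.m@g \in^l j}{f.m@g \in^{k+l} i + j}$$

$$\frac{}{c(i,x) \mathrel{\mathrm{hasIF}} i} \qquad \frac{u \mathrel{\mathrm{hasIF}} i,\ v \mathrel{\mathrm{hasIF}} j}{u \parallel v \mathrel{\mathrm{hasIF}} i + j}$$

$$\frac{f.m@g \in^k i,\ \mathrm{sg}(k) = 1}{f.m@g \in^+ i} \qquad \frac{f.m@g \in^k i,\ \mathrm{sg}(k) = -1}{f.m@g \in^- i}$$

$$\frac{u \mathrel{\mathrm{hasIF}} i,\ f.m@g \in^+ i}{f.m@g \in^+ \mathrm{IF}(u)} \qquad \frac{u \mathrel{\mathrm{hasIF}} i,\ f.m@g \in^- i}{f.m@g \in^- \mathrm{IF}(u)}$$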

f.m@g . i . ~f.m@g . f.m@g 

x > pX /. f.rn&g E + t > p V> g.m&f B « £ > P V 



,. . /.m@ 9 . ,. . ~ f.m&g f.m&g 
, r ^ . L • ~ f.m&g , . f.m&g 

x , f.m&g E^ t x > p x , g.m&f E « £ > P a; 



c(i,a;) > c c(j,x') c(i,i:) > c c(t,x') c(i,:r) > c c(i,x') 

u ^^ )/ . m@9E +| F(u ||„) u ^^ cV / i9 . m@/E -|F(„||,;) „i^i cv / 



i f.m&g n ^f.m&g f.m&g 

U \\ V > c V U || V > c t) t( || V >c V 

f.m&g , i . n . ~ f.m&g , . .. . f.m&g . 

v > c v, f.m&g E + IF(u || v) v > c V, g.m&f E IF(u || v) v > cV / 



n f.m&g I, ~f.m&g M f.m&g 

U \\ V > c W U || V > c U U || V > c U 

f.m&g , , . M . ~ f.m&g , . .. . f.m&g , 

u > c u , f.m&g E T IF(u || v) u > c u , g.m&f E IF(u || t>) « > c u 



, ~f.m&g , M f-m&g 
U V > c It 1) It D > c u' V 



f.m&g , i . .. . ~ f.m&g , . .. . f.m@g , 

(i > c (i . f.ni&g E + IF(« || i>) v > c v , g.m&f E IF(-u || v) v > c v 



II f-m&g .. , M ~f.m&g .. , f-m&g 

U || V > c U || v' u\\v > c u\\v' u\\v U || v' 

a . b , a , b i 

a | 6 = c a | 6 = c 

w || v -^cV u II 11 -^*c v' 

aib, a / b / 

U — > c U , V — > c V U — » c U , f — *c V 

a | b = c a I b = c 



M D — » c U 



f.m&g L ~ f-m&g . . f.m&g 

x > p V, f.mWg E^ t > P Vi g.m&f E « £ > P V 



a / \ f-m&g . ~a I \ ~/-n»Og , . . f-m&g 

f.m&g , . l . ~ f-m&g , . f-m&g 

> p x . f.rnag E ?. x > p x' , g.m&f E i x > p x 

Let $S \in \{P, I, C\}$, and let $t_1, t_2 \in \mathcal{T}_S$. Then $t_1$ and $t_2$ are bisimilar, written 
$t_1 \mathrel{\underline{\leftrightarrow}} t_2$, if there exists a bisimulation $B$ such that $B_S(t_1,t_2)$. 

The following congruence property of bisimilarity will be used in Section 13 
to construct a model of ACC+REC. 

Theorem 1 (Congruence). Bisimilarity is a congruence with respect to the 
operators of ACC+REC to build terms of sort P, I or C. 

Proof. In the terminology of [13], Z is a given sort and the relations $f.m@g \in^N$, 
one for each $N \in \mathcal{T}_Z^{\mathrm{INT}}$, constitute a relation parametrized by closed terms of the 
sort Z. Because Z is a given sort, we can safely identify closed terms of sort Z 
that are semantically equivalent and replace the third property of bisimulations 
given above by: 

- if $B_I(I_1,I_2)$ and $f.m@g \in^N I_1$, then $f.m@g \in^N I_2$. 

Because the relations $f.m@g \in^N$ constitute a relation parametrized by closed 
terms of a given sort, we can safely replace the rules for the operational semantics 
with the conclusions $f.m@g \in^+ i$ and $f.m@g \in^- i$ by the rules 

$$\frac{f.m@g \in^N i}{f.m@g \in^+ i}\ \mathrm{sg}(N) = 1 \qquad \text{and} \qquad \frac{f.m@g \in^N i}{f.m@g \in^- i}\ \mathrm{sg}(N) = -1 ,$$

where $N$ stands for an arbitrary closed term from $\mathcal{T}_Z^{\mathrm{INT}}$. By these replacements, 
bisimilarity becomes an instance of bisimilarity by the definition given in [13] 
and the rules for the operational semantics of ACC+REC become a complete 
transition system specification in panth format by the definitions given in [13]. 
Hence, it follows by Theorem 4 from [13] that bisimilarity is a congruence with 
respect to all operators of ACC+REC to build terms of sort P, I or C. □ 

13 A Bisimulation Model of ACC+REC 

In this section, we construct a model of ACC+REC using the notion of bisim- 
ilarity defined in Section 12. It is a model in which all processes are finitely 
branching, i.e. they have at any stage only finitely many alternatives to proceed. 

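Henceforth, we will write $\mathfrak{I}_{\mathrm{INT}}$ for the initial model of INT, and $Z$ for the set 
associated with the sort Z in $\mathfrak{I}_{\mathrm{INT}}$. 

The bisimulation model $\mathfrak{B}_{\mathrm{ACC+REC}}$ is the expansion of $\mathfrak{I}_{\mathrm{INT}}$, the initial model 
of INT, with 

- for each sort $S \in \{P, I, C\}$, the set $\mathcal{T}_S / {\underline{\leftrightarrow}}$; 

- for each constant $O_0 : S$ of ACC+REC with $S \in \{P, I, C\}$, the element 
$[O_0]_{\underline{\leftrightarrow}}$ of $\mathcal{T}_S / {\underline{\leftrightarrow}}$; 

- for each operator $O_1 : S \to S'$ of ACC+REC with $S, S' \in \{P, I, C\}$, the 
operation from $\mathcal{T}_S / {\underline{\leftrightarrow}}$ to $\mathcal{T}_{S'} / {\underline{\leftrightarrow}}$ that maps $[t]_{\underline{\leftrightarrow}}$ to $[O_1(t)]_{\underline{\leftrightarrow}}$; 

- for each operator $O_2 : S \times S' \to S''$ of ACC+REC with $S, S', S'' \in \{P, I, C\}$, 
the operation from $\mathcal{T}_S / {\underline{\leftrightarrow}} \times \mathcal{T}_{S'} / {\underline{\leftrightarrow}}$ to $\mathcal{T}_{S''} / {\underline{\leftrightarrow}}$ that maps 
$([t_1]_{\underline{\leftrightarrow}}, [t_2]_{\underline{\leftrightarrow}})$ to $[O_2(t_1,t_2)]_{\underline{\leftrightarrow}}$; 

- for each operator $\#_{f.m@g} : I \to Z$ with $f,g \in \mathcal{L}$ and $m \in \mathcal{M}$, the operation 
from $\mathcal{T}_I / {\underline{\leftrightarrow}}$ to $Z$ that maps $[I]_{\underline{\leftrightarrow}}$ to the unique interpretation in 
$\mathfrak{I}_{\mathrm{INT}}$ of all $N \in \mathcal{T}_Z^{\mathrm{INT}}$ for which $f.m@g \in^N I$. 

The well-definedness of the operations associated with the operators of ACC+REC 
in $\mathfrak{B}_{\mathrm{ACC+REC}}$ follows immediately from Theorem 1, except for the operations 
associated with the operators $\#_{f.m@g}$. The well-definedness of the operations 
associated with the operators $\#_{f.m@g}$ in $\mathfrak{B}_{\mathrm{ACC+REC}}$ follows immediately 
from Lemma 1 and the definition of bisimilarity. 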

We have the following soundness result. 

Theorem 2 (Soundness). Let $S \in \{Z, P, I, C\}$ and let $t, t' \in \mathcal{T}_S$. Then $t = t'$ 
is derivable from the axioms of ACC+REC only if $t = t'$ holds in $\mathfrak{B}_{\mathrm{ACC+REC}}$. 

Proof. It is sufficient to prove the soundness of each axiom separately. Because 
$\mathfrak{B}_{\mathrm{ACC+REC}}$ is an expansion of $\mathfrak{I}_{\mathrm{INT}}$, it is not necessary to prove the soundness of 
the axioms of INT. For each of the remaining axioms except M1-M5, soundness 
is easily proved by constructing a witnessing bisimulation (for the witnessing 
bisimulations for the axioms of ACP+REC, see e.g. [2]). What remains are the 
proofs for axioms M1-M5. The soundness of these axioms follows immediately 
from the definition of the operations associated with the operators $\#_{f.m@g}$ and 
the rules of the operational semantics. □ 

14 Localized Processes 

If processes are looked at in isolation, it is convenient to abstract from the loci 
at which they reside. This brings us to consider processes made up of actions of 
the forms $f.m$ and ${\sim}f.m$. These processes are called localized processes. In this 
section, we extend ACC with localized processes. The resulting theory is called 
$\mathrm{ACC}_{\mathrm{lp}}$. 

Henceforth, actions from A will also be called non-localized actions, and 
processes made up of actions from A will also be called non-localized processes. 

In $\mathrm{ACC}_{\mathrm{lp}}$, we have, in addition to the set $A$ of non-localized actions, the set 
$\mathcal{L}A$ of localized actions consisting of: 

- for each $f \in \mathcal{L}$ and $m \in \mathcal{M}$, the active localized action $f.m$; 

- for each $f \in \mathcal{L}$ and $m \in \mathcal{M}$, the passive localized action ${\sim}f.m$. 

Intuitively, these localized actions can be explained as follows: 

- $f.m$ is the action by which a localized process requests a process residing at 
locus $f$ to carry out method $m$; 

- ${\sim}f.m$ is the action by which a localized process grants a request of a process 
residing at locus $f$ to carry out method $m$. 

It is not possible to perform localized actions synchronously. 

Different from ACC, $\mathrm{ACC}_{\mathrm{lp}}$ has two sorts of processes. That is, $\mathrm{ACC}_{\mathrm{lp}}$ has 
the sorts C, P, I and Z from ACC, and in addition the sort LP of localized 
processes. 

Table 9. Axioms for placement of localized processes 

$$\begin{array}{ll}
@_f(\delta) = \delta & \text{P1} \\
@_f(g.m) = g.m@f & \text{P2} \\
@_f({\sim}g.m) = {\sim}g.m@f & \text{P3} \\
@_f(r + s) = @_f(r) + @_f(s) & \text{P4} \\
@_f(r \cdot s) = @_f(r) \cdot @_f(s) & \text{P5}
\end{array}$$

To build terms of sort C, $\mathrm{ACC}_{\mathrm{lp}}$ has the constants and operators 
of ACC to build terms of sort C. To build terms of sort P, $\mathrm{ACC}_{\mathrm{lp}}$ has the 
constants and operators of ACC to build terms of sort P and in addition the 
following operators: 

- for each $f \in \mathcal{L}$, the unary placement operator $@_f : LP \to P$. 

To build terms of sort LP, $\mathrm{ACC}_{\mathrm{lp}}$ has the following constants and operators: 

- the deadlock constant $\delta : LP$; 

- for each $a \in \mathcal{L}A$, the localized action constant $a : LP$; 

- the binary alternative composition operator $+ : LP \times LP \to LP$; 

- the binary sequential composition operator $\cdot : LP \times LP \to LP$; 

- the binary parallel composition operator $\parallel : LP \times LP \to LP$; 

- the binary left merge operator $\mathbin{\lfloor\!\lfloor} : LP \times LP \to LP$; 

- for each $H \subseteq \mathcal{L}A$, the unary encapsulation operator $\partial_H : LP \to LP$. 

To build terms of sort I, $\mathrm{ACC}_{\mathrm{lp}}$ has the constants and operators of ACC to build 
terms of sort I. To build terms of sort Z, $\mathrm{ACC}_{\mathrm{lp}}$ has the constants and operators 
of ACC to build terms of sort Z. 

Terms of the different sorts are built as usual for a many-sorted signature. 
We assume that there are infinitely many variables of sort LP, including r, s, r' 
and s' . 

The constants and operators to build terms of sort LP need no further ex- 
planation. They differ from the constants and operators to build terms of sort 
P in that: (i) the (non-localized) action constants are replaced by the localized 
action constants and (ii) the communication merge operator | is removed. 

Let $L$ be a closed term of sort LP. Intuitively, the operators $@_f$ can be 
explained as follows: 

- $@_f(L)$ behaves as $L$ with each action $g.m$ replaced by $g.m@f$ and each action 
${\sim}g.m$ replaced by ${\sim}g.m@f$. 

In other words, $@_f$ turns localized processes into non-localized processes by 
placing them as a whole in locus $f$. 

The axioms of $\mathrm{ACC}_{\mathrm{lp}}$ are the axioms of ACC, the axioms given in Tables 9 
and 10, and copies of axioms A1-A7, CM2-CM4 and D1-D4 from Table 1 with 
$x$, $y$ and $z$ replaced by different variables of sort LP, $a$ standing for an arbitrary 
constant of sort LP and $H$ standing for an arbitrary subset of $\mathcal{L}A$. 

Table 10. Axiom for parallel composition of localized processes 

$$\begin{array}{ll}
r \parallel s = r \mathbin{\lfloor\!\lfloor} s + s \mathbin{\lfloor\!\lfloor} r & \text{M1}
\end{array}$$

Axioms P1-P5 are the defining axioms of $@_f$. Axiom M1 replaces axiom CM1. The latter 
axiom is not suited for the localized case because it is not possible to perform 
localized actions synchronously. 

Guarded recursion can be added to $\mathrm{ACC}_{\mathrm{lp}}$ as it is added to ACP in Section 3. 
We write $\mathrm{ACC}_{\mathrm{lp}}$+REC for $\mathrm{ACC}_{\mathrm{lp}}$ extended with the constants standing for the 
unique solutions of guarded recursive specifications and the axioms RDP and 
RSP. 

As an example of a localized process, we give the localized buffer process $B'$ 
defined by the guarded recursion equation 

$$B' = \sum_{d \in \mathcal{D}} {\sim}f.c_d \cdot f.c_d \cdot B' .$$

If $g$ and $h$ are different loci, then the processes $@_g(B')$ and $@_h(B')$ reside at 
different loci, but apart from that they are the same. The connection between 
$B'$ and the buffer process $B$ defined in Section 11 is couched in the equation 
$B = @_g(B')$, which is derivable from the axioms of $\mathrm{ACC}_{\mathrm{lp}}$+REC. The placement 
operators are primarily useful in cases where 'copies' of the same process coexist 
at different loci. However, they are also useful otherwise to obtain more terse 
descriptions of processes. Much more complicated processes than buffers with 
capacity one are needed to illustrate this. 

In the structural operational semantics of $\mathrm{ACC}_{\mathrm{lp}}$+REC, the following relations 
are used in addition to the ones used in the structural operational semantics 
of ACC+REC: 

- a unary relation $\xrightarrow{a}_{LP} \surd \subseteq \mathcal{T}_{LP}$, for each $a \in \mathcal{L}A$; 

- a binary relation $\xrightarrow{a}_{LP} \subseteq \mathcal{T}_{LP} \times \mathcal{T}_{LP}$, for each $a \in \mathcal{L}A$. 

We write $L \xrightarrow{a}_{LP} \surd$ instead of $L \in {\xrightarrow{a}_{LP}} \surd$ and $L \xrightarrow{a}_{LP} L'$ instead of $(L,L') \in {\xrightarrow{a}_{LP}}$. 
The relations can be explained as follows: 

- $L \xrightarrow{a}_{LP} \surd$: localized process $L$ is capable of first performing $a$ and then 
terminating successfully; 

- $L \xrightarrow{a}_{LP} L'$: localized process $L$ is capable of first performing $a$ and then 
proceeding as localized process $L'$. 

The structural operational semantics of $\mathrm{ACC}_{\mathrm{lp}}$+REC is described by the 
rules for the operational semantics of ACC+REC, the rules given in Table 11, 
and copies of the rules without the side-condition $a \mid b = c$ from Table 7 with 
$\xrightarrow{a}_P \surd$ and $\xrightarrow{a}_P$ replaced by $\xrightarrow{a}_{LP} \surd$ and $\xrightarrow{a}_{LP}$, respectively, $x$, $x'$, $y$ and $y'$ replaced by 
different variables of sort LP, $a$ standing for an arbitrary constant of sort LP 
and $H$ standing for an arbitrary subset of $\mathcal{L}A$. 

Constructing a bisimulation model of $\mathrm{ACC}_{\mathrm{lp}}$+REC can be done on the same 
lines as constructing a bisimulation model of ACC+REC. 
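
Table 11. Additional rules for operational semantics of $\mathrm{ACC}_{\mathrm{lp}}$ 

$$\frac{r \xrightarrow{g.m}_{LP} \surd}{@_f(r) \xrightarrow{g.m@f}_P \surd} \qquad \frac{r \xrightarrow{{\sim}g.m}_{LP} \surd}{@_f(r) \xrightarrow{{\sim}g.m@f}_P \surd} \qquad \frac{r \xrightarrow{g.m}_{LP} r'}{@_f(r) \xrightarrow{g.m@f}_P @_f(r')} \qquad \frac{r \xrightarrow{{\sim}g.m}_{LP} r'}{@_f(r) \xrightarrow{{\sim}g.m@f}_P @_f(r')}$$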



15 Conclusions 

In this paper, we have built on earlier work on ACP and earlier work on interface 
groups. ACP was first presented in [5] and interface groups were proposed in [7]. 
We have introduced an interface group for process components and have pre- 
sented a theory about process components of which that interface group forms 
part. The presented theory is a development on top of ACP. We have illustrated 
the use of the theory by means of examples, and have given a bisimulation se- 
mantics for process components which justifies the axioms of the theory. 

Two interesting properties of the interface group for process components 
introduced in this paper are: (i) the interface combination operator + is not 
idempotent and (ii) for each $f,g \in \mathcal{L}$ and $m \in \mathcal{M}$, the interface element constants 
$f.m@g$ and ${\sim}g.m@f$ are each other's inverses. Property (i) allows for expressing 
that a process component expects from a number of process components an 
ability or promises a number of process components an ability. Property (ii) 
allows for establishing on the basis of its interface that a process component 
composed of other process components is a closed system. 

Like in [7] , the inclusion of behavioural information in component interfaces 
has been deliberately rejected in order to have orthogonality between component 
interfaces and component behaviours. The distinction between active interface 
elements and passive interface elements made in this paper corresponds to the 
distinction between import services and export services made in [15]. Adapta- 
tions of module algebra [4] that allow for this kind of distinction are investigated 
in [8]. However, interface groups are not considered in those investigations. 

Processes as considered in ACP have been combined with interfaces before in 
μCRL [10] and PSF [12], two tool-supported formalisms for the description and 
analysis of processes with data. However, in μCRL and PSF, interfaces serve for 
determining whether descriptions of processes are well-formed only. 